
Air Force banking on role-based authentication system to lock down data

Agencies continue to struggle to find a workable model for ensuring that employees
can reach only the information they are entitled to see. But at least one agency is
close to answering this long-standing challenge.

The Air Force is launching a pilot to test role-based authentication. The idea is
to have an enterprise security approach that approves access to data based on the
employees' roles and responsibilities.

Frank Konieczny, the Air Force's chief technology officer, said that as agencies
move to a Web services approach to networks, where an application places a call to
a database and pulls data back to the user, the need to tie each data request to
an authenticated user and that user's entitlements is growing.

"The pilot we started about a year ago. We have a system integrator actually doing
it. We are in testing right now in a MilCloud environment, where we are trying to
actually connect a real app to it to validate it," Konieczny said Wednesday at the
Federal Forum conference sponsored by Brocade in Washington. "It's based on
attributes for each individual in a sense that as soon as the person's attributes
change, their role changes, and we automatically authenticate for particular access
to data or particular systems."

Once the Air Force validates the technology with the initial application,
Konieczny said the service will require all new software to implement this
role-based authentication capability.
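The mechanism Konieczny describes, roles derived from a person's attributes and access to data decided from those roles at request time, can be illustrated with a small policy engine. The code below is an added example written for this article; it is not the Air Force's or its integrator's software, and every attribute name, role, data label and user ID in it is made up. It shows the property the pilot is after: once the identity store's attributes for a user change, the user's roles and data access change on the next request, with no change to the application.

```python
"""Attribute-driven role derivation and data access decisions (illustrative only).

Hypothetical rule sets and identity records; not from any Air Force or DoD system.
"""
import copy

# Role derivation rules (hypothetical): a role is held only while every required
# attribute holds one of the allowed values.
ROLE_RULES = {
    "maintenance_lead": {"duty_code": {"MX"}, "status": {"active"},
                         "grade": {"E7", "E8", "E9", "O3", "O4"}},
    "logistics_analyst": {"duty_code": {"LOG"}, "status": {"active"}},
    "base_user": {"status": {"active"}},
}

# Resource policy (hypothetical): which roles may perform which action on a data set.
RESOURCE_POLICY = {
    "aircraft_maintenance_log": {"read": {"maintenance_lead"},
                                 "write": {"maintenance_lead"}},
    "supply_inventory": {"read": {"maintenance_lead", "logistics_analyst"},
                         "write": {"logistics_analyst"}},
    "base_bulletin": {"read": {"base_user"}, "write": set()},
}

# Constructed identity store and database stand-ins.
IDENTITY_STORE = {
    "u1001": {"duty_code": "MX", "status": "active", "grade": "E7"},
    "u1002": {"duty_code": "MX", "status": "separated", "grade": "E8"},
}
DATABASE = {
    "aircraft_maintenance_log": [{"tail": "T-0001", "entry": "hydraulic check"}],
    "supply_inventory": [{"nsn": "0000-00-000-0000", "qty": 12}],
    "base_bulletin": [{"title": "gate hours"}],
}


def derive_roles(attributes):
    """Compute the set of roles a subject holds from its current attributes."""
    roles = set()
    for role, required in ROLE_RULES.items():
        if all(attributes.get(key) in allowed for key, allowed in required.items()):
            roles.add(role)
    return roles


def decide(attributes, resource, action):
    """Default-deny decision: unknown resources or actions grant nothing."""
    allowed_roles = RESOURCE_POLICY.get(resource, {}).get(action, set())
    return bool(derive_roles(attributes) & allowed_roles)


def fetch(identity_store, user_id, resource, action="read"):
    """What the Web service does: look up the caller's attributes in the
    authoritative store on every call (never trust a role claimed by the client),
    decide, then pull rows from the database only if permitted."""
    attributes = identity_store.get(user_id)
    if attributes is None or not decide(attributes, resource, action):
        raise PermissionError("%s may not %s %s" % (user_id, action, resource))
    return list(DATABASE.get(resource, []))


def reassignment_scenario():
    """Show access following an attribute change without touching the application.

    Returns (access before reassignment, access after, new access gained)."""
    store = copy.deepcopy(IDENTITY_STORE)
    before = decide(store["u1001"], "aircraft_maintenance_log", "read")
    store["u1001"]["duty_code"] = "LOG"  # personnel system moves the user to logistics
    after = decide(store["u1001"], "aircraft_maintenance_log", "read")
    gained = decide(store["u1001"], "supply_inventory", "write")
    return before, after, gained


if __name__ == "__main__":
    print(fetch(IDENTITY_STORE, "u1001", "aircraft_maintenance_log"))
    print(reassignment_scenario())
```

The decision is recomputed from the identity store on every request, so a separated member (u1002 above) loses every role, including base_user, the moment the status attribute changes; caching roles in a session token would defeat that property.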

"We need to get to the point where we actually are defending the data," he said.
"That's one of the big rocks in the Joint Information Environment — identity
management. We want to make sure that that's one of the ones we are working on
right now. We've actually pushed this into the JIE framework as one of the
frameworks they should consider for identity management in the JIE."

A new threat vector

The JIE is an umbrella term for the standards, consolidation and information-sharing
effort that spans all military services and agencies. The Defense Department is
requiring services and agencies to take part in the JIE, in part by modernizing
their networks to meet the program's goals.

The Air Force's implementation of role-based authentication is both a piece of the
JIE and a layer of added protection for its data against insiders and outside
attackers alike.

"It's really a change to data security. We've seen network security work, and we
still have network security. But we are trying to guard the data now more than
anything, because that's what the bad guys actually want to get after. They
want to exfiltrate it or change it," Konieczny said. "That's the real threat
vector we are up against right now."

Konieczny said the technology is in addition to DoD's requirement for military
and civilian employees to use their Common Access Card to log onto the network. The
CAC establishes who the user is; the pilot governs what that authenticated user may
read or change, so the two work together rather than one replacing the other.

Konieczny said every agency increasingly understands that protecting data is
paramount. To that end, he expects agencies to apply this type of role-based
authentication to more and more systems.

"We've been sharing the pilot with everybody. Actually, we are trying to test it in
MilCloud, which is DISA's JIE offering, and also we probably will test it in
the test core data center that DISA is establishing," he said. "We've gotten
inputs from all of the services and will continue to do so."

Full production in 2015

The feedback is important because DoD faces challenges many agencies do not.
Konieczny said one big challenge is using this technology in the tactical
environment.

"You really can't connect to a centralized location for information, so there has
to be a way of moving it out, keeping it updated in the tactical environment via
satellite communications or something, or actually having them run by themselves
and have some administrative rights at that point in time," he said.

Konieczny said he thinks the role-based authentication technology is about six
months away from going into full production. He said the Air Force is reviewing
which applications can be made compatible with it before it goes into full
production.

He said part of the reason for the bigger focus on data security is that computer
networks are morphing to include airplanes, satellites and even drones. The Air
Force wants to get to a single unified network that can be managed as one entity.

Konieczny said under the JIE framework, network management comes back to
applications, because that's where the mission gets done.

"At the base, you can have mission essential applications only, and they are
connected via network to the base so that if the major communication goes out to
the JIE wide-area network, if you will, the base can still operate," he said. "The
base operations for the Air Force is like the air operations center where they
communicate accordingly with the airplanes and everything else. So this network is
much larger than you think it is, even though we say it's sitting on the base. It's
an extension of the base into the real atmosphere out there and to whatever it
does. Also, you have to think of it as the drones sending information back. We
have lots of intelligence, surveillance and reconnaissance videos coming in,
petabytes of data per second. So that's part of the network, and how is that going
to be affected by anything we do?"